A sophisticated Golang-based backdoor family now tracked as GigaWiper that fuses extensive C2 controls with multiple destructive payloads.
What makes GigaWiper noteworthy is not merely its destructive capacity but how it packages several formerly separate wipers and extortion tools into a single modular implant.
That consolidation enables operators to switch destruction modes on demand physical-disk wipes, fake ransomware that renders files unrecoverable, multi-pass secure wiping while maintaining persistent, remotely controlled access.
One persistence mechanism observed is deceptively simple: the implant creates a scheduled task named “OneDrive Update” and uses a registry key at HKCUSOFTWAREOneDriveEnvironment to track executions.
On first run it writes the key and creates the OneDrive Update scheduled task, configured to run every minute and at startup.
Subsequent runs detect the registry value, increment it, and behave as an expected scheduled-task child process an operational choice that reduces suspicion and leverages a trusted Windows scheduler for persistent destructive access.
The standalone component actively enumerates physical disks via WMI, identifies the Windows installation drive, removes partition metadata from non‑system drives using DeviceIoControl (IOCTL_DISK_CREATE_DISK), overwrites raw disk sectors in large chunks with randomized-first-byte buffers, and forces an immediate restart.
Embedded within the backdoor as command 1 (WipeMain) is identical functionality, while command 12 (WipeCMain) offers a C-drive–only, multi-pass secure wipe.
A third destructive command reproduces Crucio-derived logic: a “ransomware” routine that AES-CBC encrypts files with randomly generated keys that are never saved, renames victims’ files with a .candy extension, and drops no viable recovery path functionally a wiper masquerading as extortion.
Microsoft Threat Intelligence identified that GigaWiper appears in two primary sample forms: compact standalone wipers and larger Golang PE backdoors that subsume the standalone code as commands.
GigaWiper Uses OneDrive Update
C2 and operational telemetry are robust. GigaWiper uses RabbitMQ over AMQP for command distribution and Redis for status and output reporting.
The wiper’s main.main routine implemented in the backdoor as the rabbit_tools_tool_wipe_main.WipeMain function.
The implant decrypts a hard-coded AES-protected configuration containing C2 endpoints and credentials; observed infrastructure included addresses like 185.182.193[.]21 on nonstandard ports.
The RabbitMQ design uses a fanout exchange named “All” for broadcast commands and a topic exchange “Topic” for targeted tasks, with commands modeled as structured Task and Result objects.
This messaging approach scales control across many infected hosts while enabling per-host targeting when required.
Beyond wiping and fake-ransom features, GigaWiper implements broad remote‑access and system‑management capabilities: process and service management, registry navigation and persistent sessions, file upload via the MinIO client, screenshotting and screen recording, keylogger and VNC-like remote control, event-log clearing.

Code overlap and shared strings link GigaWiper to at least three prior families: a standalone wiper, Crucio-like extortion code (BigBangExtortMain), and FlockWiper, the latter reimplemented from C into Golang access for inclusion as WipeCMain.
PDB path artifacts referencing “GRAT” further tie these components together and suggest a common developer or framework across iterations.
Defenders should prioritize blocking the identified C2 infrastructure, enforcing tamper protection and always-on EDR, and preventing unauthorized Scheduled Task creation and registry modifications from nonprivileged contexts.
Microsoft published detections and mitigations in its GigaWiper advisory and Defender telemetry; organizations should map those indicators to network and endpoint controls and enable cloud-delivered protections to catch evolving variants.
The GigaWiper campaign underscores a shift: destructive tooling is migrating from single-purpose wipes to modular, remotely orchestrated platforms that combine stealthy persistence such as a “OneDrive Update” scheduled task with the ability to weaponize multiple, interchangeable wiping techniques on demand.
Indicators of compromise
| Indicator | Type | Description |
| 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 | SHA-256 | GigaWiper backdoor |
| ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 | SHA-256 | GigaWiper backdoor |
| f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd | SHA-256 | GigaWiper backdoor |
| 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 | SHA-256 | GigaWiper backdoor |
| 3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd | SHA-256 | GigaWiper standalone wiper |
| 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 | SHA-256 | Crucio |
| 12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 | SHA-256 | FlockWiper |
| db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 | SHA-256 | FlockWiper |
| 185.182.193[.]21 | IP address | GigaWiper C2 |
| 212.8.248[.]104 | IP address | GigaWiper C2 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

